主页 / 问题 / 851228
Accepted
Bleser
Asked:2020-07-06 22:24:18 +0000 UTC2020-07-06 22:24:18 +0000 UTC

如何正确生成证书以在 nginx 上设置 https?

  • 772

我想创建自己的证书来在nginx上配置https,网上有很多生成证书的例子,我什至在这里找到了这个工具
问题是当我尝试访问该地址时,我收到来自 Chromium 的错误。

Перейти на сайт example.net невозможно, так как его  
идентификационные данные зашифрованы, и Chrome не может их  
обработать. Это могло произойти из-за ошибки сети или атаки на сайт.  
Скорее всего, он заработает через некоторое время.

我将浏览器中的证书本身添加到“证书颁发机构”,但错误仍然存​​在。

nginx配置文件:

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {

    listen 443 ssl;
    server_name example.net;

    ssl_certificate           /ssl/cert.crt;
    ssl_certificate_key       /ssl/cert.key;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/fines-auth.log;

    location /auth {

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      proxy_pass          http://0.0.0.0:3000;
      proxy_read_timeout  90;

      proxy_redirect      http://0.0.0.0:3000 https://example.net;
}

}

nginx

1 个回答

  1. Best Answer

    资料来源:http ://blog.regolit.com/2010/02/16/personal-ca-and-self-signed-certificates

    1. 为证书颁发机构 (CA) 生成密钥 $ openssl genrsa -des3 -out ca.key 4096

    2. 为 CA 创建证书
      $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

    3. 为服务器创建密钥
      $ openssl genrsa -des3 -out server.key 4096

    4. 为服务器创建证书
      4.1 openssl的配置文件,保存在当前文件夹中,名称为openssl-csr.cnf 

      ###############################################
# Remaining options below  should not be edited
###############################################

[ req ]
default_bits = 4096
distinguished_name  = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                  = Country Name (2 letter code)
countryName_default          = RU
stateOrProvinceName          = State or Province Name (full name)
stateOrProvinceName_default  = Russia
localityName                 = Locality Name (eg, city)
localityName_default         = Irkutsk
organizationName             = Organization Name (eg, company)
organizationName_default     = Example, Co.
commonName                   = Common Name (eg, YOUR name or FQDN)
commonName_max               = 64

[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

###############################################
# Edit this line to set subjectAltName contents
###############################################
subjectAltName          = DNS:example.com, DNS:www.example.com, DNS:example.net

      4.2 证书生成
      $ openssl req -new -key server.key -config openssl-csr.cnf -reqexts req_ext -out server.csr

    5. 服务器证书签名、CA证书
      $ openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -set_serial 01 -extfile openssl-csr.cnf -extensions req_ext -in server.csr -out server.crt

    Files server.(csr, key) - 连接到服务器
    File ca.csr - 需要在证书颁发机构中添加到浏览器

    • 2

相关问题